I started using PHP a couple of months ago. For the sake of creating a login system for my website, I read about cookies and sessions and their differences (cookies are stored in the user's browser and sessions on the server). At that time, I preferred cookies (and who does not like cookies?!) and just said: "who cares? I don't have any good deal with storing it in my server", so, I went ahead and used cookies for my bachelor graduation project. However, after doin' the big part of my app, I heard that for the particular case of storing user's ID, sessions are more appropriate. So I started thinking about what would I say if the jury asks me why have you used cookies instead of sessions? I have just that reason (that I do not need to store internally information about the user). Is that enough as a reason? or it's more than that?
Could you please tell me about advantages/disadvantages of using cookies for keeping User's ID?
感谢大家在StackOverflow!
博士TL;
| Criteria / factors |
Sessions |
Cookies |
| Epoch (start of existence) |
Created BEFORE an HTTP response |
Created AFTER an HTTP response |
| Availability during the first HTTP request |
YES |
NO |
| Availability during the succeeding HTTP requests |
YES |
YES |
| Ultimate control for the data and expiration |
Server administrator |
End-user |
| Default expiration |
Expires earlier than cookies |
Lasts longer than sessions |
| Server costs |
Memory |
Memory |
| Network costs |
None |
Unnecessary extra bytes |
| Browser costs |
None |
Memory |
| Security |
Difficult to hijack |
Easy to hijack |
| Deprecation |
None |
Now discouraged in favor of the JavaScript "Web Storage" |
细节
优点和缺点是主观的。它们可能会导致一种两分法(对一些人来说是优势,但对另一些人来说是劣势)。相反,我列出了可以帮助你决定选择哪一个的因素。
第一个HTTP请求-响应期间的存在
假设您是服务器端人员,希望同时处理会话和cookie。第一次HTTP握手是这样的:
浏览器准备HTTP请求——SESSIONS:不可用;COOKIES:不可用
浏览器发送HTTP请求
服务器接收HTTP请求
服务器处理HTTP请求——SESSIONS:已存在;饼干:投
服务器发送HTTP响应
浏览器接收HTTP响应
浏览器处理HTTP响应——SESSIONS:不可用;饼干:存在
在步骤1中,浏览器不知道会话和cookie的内容。
在步骤4中,服务器可以有机会设置会话和cookie的值。
后续HTTP请求-响应期间的可用性
浏览器准备HTTP请求——SESSIONS:不可用;饼干:可用
浏览器发送HTTP请求
服务器接收HTTP请求
服务器处理HTTP请求——SESSIONS:可用;饼干:可用
服务器发送HTTP响应
浏览器接收HTTP响应
浏览器处理HTTP响应——SESSIONS:不可用;饼干:可用
有效载荷
假设在一个网页中,你加载了example.com托管的20个资源,这20个资源将携带关于cookie的额外字节信息。即使它只是一个CSS或JPG图像的资源请求,在通往服务器的途中,它仍然会在它们的头文件中携带cookie。对JPG资源的HTTP请求应该携带一堆不必要的cookie吗?
弃用
会话是不可替代的。对于cookie,在浏览器中存储数据有许多其他选项,而不是老式的cookie。
用户数据的存储
会话对于存储用户数据更安全,因为最终用户不能修改它,只能在服务器端进行设置。另一方面,cookie可能被劫持,因为它们只是存储在浏览器上。
SESSIONS ENDS WHEN USER CLOSES THEIR BROWSER,
COOKIES END DEPENDING ON THE LIFETIME YOU SET FOR IT. SO THEY CAN LAST FOR YEARS
这是你选择的主要区别,
如果你想让id长时间被记住,那么你需要使用cookie;否则,如果你只是想让网站识别用户的访问,那么只有会话是可行的。
会话存储在php服务器将生成的文件中。为了记住哪个文件是针对哪个用户的,php还将在用户的浏览器上设置一个cookie,保存这个会话文件id,这样在用户下次访问时,php将读取这个文件并重新加载会话。
现在php默认每隔一段时间清除会话,并且会话的命名约定使其自动过期。此外,一旦浏览器关闭或历史记录被清除,浏览器将不会保留保存会话id的cookie。
值得注意的是,现在的浏览器还支持另一种存储引擎,如LocalStorage, SessionStorage和其他webdb引擎,javascript代码可以使用这些引擎将数据保存到您的计算机中以记住您。例如,如果你打开Facebook内部的javascript控制台,并输入“localStorage”,你会看到Facebook使用的所有变量来记住你没有cookie。
